SEC501 6 Data Loss Prevention, Eric Cole
Advanced Security Essentials - Enterprise Defender
Data Loss Prevention (DLP)

©2016 Dr. Eric Cole, All Rights Reserved
Version A12 02



Course Outline
• Risk Management
- Calculating and understanding risk across an organization
- Applying proactive risk-management processes
- Incorporating risk management into all business processes
• BCP/DRP
• Insider Threat
• Data Classification
- Building a data classification program
- Key aspects of deploying and implementing classification of critical information
- Staged roll-out of classifying new and existing information
- Managing and maintaining portable data classification
• Digital Rights Management
- Understanding what digital rights are
- Balancing digital rights with data classification
• Data Loss Prevention
- Identifying requirements and goals for preventing data loss
- Peeling through the hype of DLP
- Identifying practical DLP solutions that work
- Managing, evaluating, implementing, and deploying DLP

Introduction to Data Loss Prevention
• Protection of information:
- Data in transit
- Data at rest
- Data classification
• Overall information protection and risk program


Introduction to Data Loss Prevention

When dealing with information security in any form, there are generally two types of protection levels
we must be concerned with:

• Data in transit (involves the security of devices used in communications)
  - Blackberry devices
  - VPNs
  - Etc.
• Data at rest (the security of media where stored)
  - Physical access/storage
  - Encryption of media



Risk Management


The following slides are designed to discuss and clarify the risk management process.



Intro to Risk Management

• Fundamentally, information security is about risk
  - To be a top-tier security professional, understanding risk is essential
• Businesses don't care about information security; they care about business
  - Ultimately, security is concerned with managing risks to a business
• NIST SP 800-30: Risk Management Guide for Information Technology is a great introduction

Intro to Risk Management


One of the most important concepts that an information security professional can understand is that
of risk. Ultimately, the job of most security professionals boils down to risk management.
Unfortunately, most information security professionals lack a keen understanding of risk
management principles and simply make recommendations without truly appreciating the risk
ramifications to their organization.

Security professionals must understand that the purpose of the organization is to fulfill its mission.
The purpose of a security professional is to help the business make informed decisions about security
issues that could potentially compromise the organization's mission.

A great primer to risk analysis and risk management is found in NIST's Special Publication 800-30:
Risk Management Guide for Information Technology [1].



The Definition of Risk

• Before we can manage risk we must understand what it means
• The most simplistic definition of risk typically given is:
  Risk = Threat x Vulnerability
• Sounds general, but is particular
  - Particular vulnerability being exploited by a threat

The Definition of Risk


Naturally, for the security professional to understand how to effectively manage risk, she must first
understand risk. The simplest definition of risk associated with information security is:

Risk = Threat x Vulnerability

Appreciate that although the definition looks fairly general, it is actually particular. Risk is calculated
for particular threat/vulnerability pairs.

On the surface the definition Risk = Threat x Vulnerability appears fairly simplistic and
straightforward. However, actually calculating values can be quite challenging. To appreciate these
challenges, we will parse the underlying concepts of threat and vulnerability and also fill in some gaps
in this oversimplified definition.



Parsing the Definition

• Risk = Threat x Vulnerability:
  - Definition seems simple
  - Understanding and applying the principles can be complex, especially because cost is a factor
  - Additional calculations are almost always required beyond just threat and vulnerability
• To mitigate risks we must understand both threats and vulnerabilities, as well as their interaction

Parsing the Definition


Working with the simplified risk definition, Risk = Threat x Vulnerability, might give the impression
that these calculations are easy to perform. However, this definition sometimes gives a false sense of
simplicity. Yes, to decrease risk all the security professional has to do is to decrease the threats or
vulnerabilities. Seems straightforward enough, and it would be if we had unlimited time and money.
However, most organizations are limited on both of these resources, which forces decisions to be
made about which threats or vulnerabilities to decrease, and how much they will be decreased with
the various

In addition, there are important factors that inform the definition that are omitted in this simplistic
definition, as we will see.



Cover Your Assets

• Risk assessments and calculations are based on what bad things can happen to your systems
• The goal is to determine:
  - What could happen?
  - Is it actually going to happen?
  - How bad would it be?
  - What could make it better?
• To appreciate these questions, we must know the organization and the systems

Cover Your Assets


Before we dive deep into the definition, let's take a step back and appreciate what we are hoping to
understand and achieve through this process. Rather than precise words with specific meanings, let's
use some simple questions to drive the process.

The goal is to determine answers to the following questions:


• What could happen?
• Is it actually going to happen?
• How bad would it be?
• What could make it better?

These straightforward questions illustrate most of what is done in risk analysis and risk management.
Now we turn our attention to parse the more technical side of these questions.



Threats

• Threats are anything that can cause harm to an information system
• Threat agents or threat sources are what is behind a particular threat
• Threat = potential for a threat agent to cause harm by exploiting a particular vulnerability:
  - Threat agent: Organized crime
  - Threat: System compromise through server-side attack
• Understanding motivation and capabilities of threat sources is important

Threats
The first item in our definition to be parsed is the concept of a threat. A threat is simply something that
can bring harm to an information system. Though our simplistic definition doesn't include this element,
there is always a threat-source (aka threat-agent) that serves as the cause of the threat.

Let's use an example threat statement. Our web server will be DoSed via a server-side attack against the
vulnerability associated with 1-100.

1-100 is a patch for a vulnerability in ASP.NET that allowed a DoS to be introduced by targeting
ASP.NET's hash table generation for POST variables. This attack would most likely be carried out by
sending an HTTP POST with an extremely large number of POST variables set to introduce hash
collisions.

The threat is a denial of service condition on a web server. The threat remains regardless of whether this
particular vulnerability exists on the web server. The risk for this particular threat/vulnerability pair
would likely be eliminated if the patch were successfully deployed.

We do not see anything about the threat source in the threat statement. It is actually fairly common for
organizations to ignore the threat sources. However, the threat source becomes especially important when
we try to determine another key concept, likelihood, which will be reviewed later. Key questions
concerning the threat source are whether the source is motivated and whether the source is capable of
introducing this threat.



Vulnerabilities

• A vulnerability is a weakness in a system that could potentially be exploited
• Without an applicable vulnerability, threats cannot introduce risk
• So, have no vulnerabilities ...
  - Yup, good luck with that one
  - Is it even possible to have no vulnerabilities?

Vulnerabilities
Even if there are numerous motivated threat agents, if there is no vulnerability, there is no risk. In the
previous threat statement, "Our web server will be DoSed via a server-side attack against the vulnerability
associated with 1-100," a vulnerability is mentioned. If we are not vulnerable to the vulnerability
associated with 1-100, then we have no risk.

Potential ways in which this vulnerability would not exist include the server is patched; the server is not
using IIS; the server is using IIS, but not ASP.NET; and the server is not Windows-based. Again, these are
potential ways in which the vulnerability might not be present and is not necessarily true of

So, to not have any risk at all, all we have to do is have zero vulnerabilities. Sounds straightforward enough.
Run a vulnerability scanner. Get everything patched. What is so hard about that?

Types of Vulnerabilities

• Everyone would prefer to have no vulnerabilities and therefore have no risk
• For third-party systems/applications, vendors release security advisories and patches:
  - Known vulnerabilities with known patches
  - The vulnerability already existed before the advisory; you just didn't know about it
• Zero-day vulnerabilities are those not publicly known
  - Targeted with zero-day exploits

Types of Vulnerabilities
Although in theory patching every vulnerability might sound possible, reality is a different case. Patching
Microsoft vulnerabilities is easier than almost all other vendors, and yet organizations are still often
compromised by exploitation of these vulnerabilities. Then realize that the organization has to patch
every known flaw on every system (including printers, access control systems, HVAC, and such).
Sounds pretty tough, yet even if an organization were successful in patching everything, it would still
have exploitable vulnerabilities.

Even if you patch everything you know to patch, you have still failed. Why? Those vulnerabilities that
we patch (sometimes >10 years after the OS/application's release date) existed long before we ever had a
patch. Someone, even if it were just the vendor, was aware of the issue in advance of the patch's release.
Vulnerabilities for which there are no patches are known as 0day or zero-day vulnerabilities.

Although it is unlikely that your organization will be targeted with a zero-day vulnerability (outside of
custom applications), these vulnerabilities exist. What is the point? Why do we care? We need to
appreciate that a modern information system's risk is practically never going to be zero.



Exploits

• Exploitation is the process of a threat taking advantage of a vulnerability
  - Exploit code is source or binary code that eases the exploitation process for the attacker
  - The actions triggered by the exploit are called the payload
• These terms are not perfect, especially when applied to environmental threats, but are important to understand

Exploits
Having already used this term, the meaning of an exploit is likely clear. An exploit is the means by
which a threat exercises a vulnerability. An attacker (threat source) exploits a vulnerability. In
addition to exploit used as a verb for understanding the risk equation, it is also necessary to
understand the term, exploit code. Exploit code is source or binary code that eases the ability for an
attacker to exploit a vulnerability.

When the concept of vulnerability scoring is introduced later, the existence of publicly available
exploit code is one of the items that can increase a vulnerability's overall score.

Another concept related to exploits and exploitation is that of a payload. The payload, in exploitation
terminology, is the action the attacker wants to carry out as a result of the exploitation. Getting a
shell, adding a user, and uploading files are some examples of payloads. Payloads are part of the
post-exploitation portion of an attack.



Exploits and Payloads Illustrated

To launch an attack, the adversary must select an exploit ...

[Screenshot: directory listing of Metasploit exploit modules (.rb files)]

... and also a payload

[Screenshot: directory listing of Metasploit payload modules (.rb files)]

Exploits and Payloads Illustrated


To illustrate exploits and payloads a bit better, screenshots are provided. The directory contents
shown correspond to Metasploit exploits and payloads.

As can be seen in the upper screenshot, these exploits are tied directly to particular Microsoft SMB
vulnerabilities that have available patches.

In the lower screenshot, we see a few options of what actions the attacker might trigger: command
shell access; VNC (remote GUI) access; uploading and executing a binary of the attacker's choosing;
and the incredibly advanced Meterpreter payload.

For additional information on the outstanding open source Metasploit project, see



Likelihood

• Likelihood can be an additional input into the risk equation outside of just threat and vulnerability
  - The goal is to determine how likely it is that the threat will exercise the vulnerability
• Key questions:
  - How motivated is the threat agent?
  - How capable is the threat agent?
  - How easily can the vulnerability be exploited?
  - What existing controls thwart the exploitation?

Likelihood
Merely understanding the concepts of threat and vulnerability is not sufficient for performing risk
assessments. Likelihood is another key concept that helps inform our risk management.

Likelihood assessments attempt to determine how likely successful exploitation of the vulnerability
will be. Several factors inform the likelihood of successful exploitation. These factors include threat
motivation; threat capabilities; ease of exploitation; and existing controls and countermeasures.

Understanding how likely a scenario is can help to determine what an appropriate risk-based
response will entail. The more likely a scenario, the greater the risk.



Impact

• Impact considerations seek to answer the question:
  - When the threat exercises the vulnerability, what would be the result?
• Impact is another key input into risk assessments beyond threat and vulnerability:
  - System-focused impact considers a system's role in the organization
  - Data-focused impact questions the data housed on or accessible via the system

Impact
A final concept for understanding the risk equation is that of impact. In addition to the likelihood,
impact is a critically important concept for determining risk that is not overtly stated in the simplistic
Risk = Threat x Vulnerability equation.

Impact attempts to determine what the outcome of successful exploitation would be. Impact
determination will necessarily take into consideration the information system in question as well as
the data housed or processed by the information system.

The importance of impact is obvious. Two systems with the same vulnerability, accessibility, and
subject to the same threat characteristics will not always warrant the same level of response from a
security perspective. The system's value to the organization will make a significant difference
when determining what countermeasures are ultimately employed.



Risk Analysis

• Now that we understand that simple equation, Risk = Threat x Vulnerability, we have to apply it
  - Risk analysis is the application process
• Goal: Determine where the level of risk is unacceptable
  - Select appropriate countermeasures
• Two primary approaches to risk analysis: quantitative and qualitative risk analysis

Risk Analysis
Now that the basic concepts that support the definition of risk are understood, we turn our attention
to the process of risk analysis. We don't simply calculate risk to know our level of risk. We analyze
risk so that we can understand it and make informed decisions about whether and which
countermeasures need to be employed.

The two primary approaches to risk analysis are the quantitative approach and the qualitative
approach. There is no right approach, as each has its own merits.

Quantitative Risk Analysis

• Typically more desirable than qualitative from a business standpoint
• Attempts to provide precise numerical values to risk statements
  - Honest calculations can be cumbersome
• Risk generally tied directly to monetary impacts
  - Impact due to threat exploiting a vulnerability

Quantitative Risk
Quantitative risk analysis is often thought to be preferable by those in business but is not always the
best approach for an organization.

As expected, quantitative analysis is numerically based and is almost always tied directly back to
money. For example, impact determination would be characterized by the cost to the business. Tying
the results of risk analysis back to dollars and cents is quite appealing for most organizations.

However, performing a thorough analysis that yields honest calculations can be quite difficult for
almost every organization. Determining with fidelity the value of the inputs into the risk equation is
terribly problematic. And unlike many other industries' risk-based metrics, information security data
is notoriously lacking and inconsistent.

Quantitative Formulas

• Quantitative risk analysis depends on common formulas for its calculations:
  - Single Loss Expectancy (SLE)
  - Annualized Rate of Occurrence (ARO)
  - Annualized Loss Expectancy (ALE)
• Other important calculations include:
  - Total Cost of Ownership (TCO)
  - Return on Investment (ROI)
  - Cost/Benefit Analysis

Quantitative Formulas
Quantitative risk analysis focuses on numbers, bringing with it a number of formulas and metrics that
should be understood. The following are some of the key formulas used:

• Single Loss Expectancy (SLE): SLE = EF x AV
• Annualized Rate of Occurrence (ARO)
• Annualized Loss Expectancy (ALE): ALE = SLE x ARO

Additional calculations that are important to quantitative risk analysis as well as to other general
security considerations are:

• Total Cost of Ownership (TCO)
• Return on Investment (ROI)
• Cost/Benefit Analysis

We dig deeper into these calculations shortly.
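A worked example of the formulas above (added here; not course code): it computes SLE and ALE for the web-server DoS threat/vulnerability pair from the Threats slide and then ranks candidate countermeasures by cost/benefit. The asset value, exposure factor, rate of occurrence, the control names and their costs are all constructed sample figures.

```python
"""Worked quantitative risk analysis using the course's formulas:
SLE = EF x AV and ALE = SLE x ARO, followed by a cost/benefit comparison
of candidate countermeasures. All dollar figures and rates are constructed
sample values, not data from the course."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    """One threat/vulnerability pair against one asset."""
    name: str
    asset_value: float      # AV: value of the asset in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = EF x AV."""
        return self.exposure_factor * self.asset_value

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    """A control that changes EF and/or ARO for a scenario at an annual cost
    (purchase price amortized over its life plus yearly operating cost)."""
    name: str
    annual_cost: float
    new_exposure_factor: float
    new_aro: float

    def apply(self, scenario: RiskScenario) -> RiskScenario:
        """The same scenario with this control in place."""
        return replace(scenario, exposure_factor=self.new_exposure_factor,
                       aro=self.new_aro)


def net_benefit(scenario: RiskScenario, control: Countermeasure) -> float:
    """Cost/benefit figure for one control: annual loss avoided minus annual
    cost. Negative means the control costs more than the loss it prevents."""
    avoided = scenario.ale() - control.apply(scenario).ale()
    return avoided - control.annual_cost


def rank_countermeasures(scenario, candidates):
    """(name, net benefit) pairs, best first; negative entries are kept so
    the reader can see which controls are not worth buying for this scenario."""
    ranked = [(c.name, net_benefit(scenario, c)) for c in candidates]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed sample scenario: the web-server DoS threat/vulnerability pair
# from the Threats slide, with made-up valuation figures.
WEB_DOS = RiskScenario("web server DoS via unpatched ASP.NET",
                       asset_value=400_000, exposure_factor=0.25, aro=1.0)

# Constructed candidate controls (hypothetical names and costs).
CANDIDATES = [
    Countermeasure("deploy vendor patch", annual_cost=5_000,
                   new_exposure_factor=0.25, new_aro=0.05),
    Countermeasure("rate-limiting reverse proxy", annual_cost=40_000,
                   new_exposure_factor=0.25, new_aro=0.5),
    Countermeasure("redundant hosting cluster", annual_cost=120_000,
                   new_exposure_factor=0.05, new_aro=1.0),
]

if __name__ == "__main__":
    print(f"SLE = ${WEB_DOS.sle():,.0f}  ALE = ${WEB_DOS.ale():,.0f}")
    for name, benefit in rank_countermeasures(WEB_DOS, CANDIDATES):
        print(f"{name:30s} net annual benefit ${benefit:,.0f}")
```

The third control illustrates the point made in the notes: a control can reduce impact substantially and still be a net loss once its annual cost is counted.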



Qualitative Analysis

• Qualitative analysis:
  - Not as overtly tied to dollar amounts associated with potential losses
  - Considerably easier to calculate for most environments
• Businesses might not consider it as valuable because of the lack of explicit dollar amounts
• Useful for prioritization of risks to be addressed

Qualitative Analysis
On the other end of the spectrum from quantitative risk analysis is qualitative risk analysis. The focus
of qualitative risk analysis is not to produce detailed numbers directly related to actual monetary
figures.

Qualitative analysis is not as focused on precise calculations of money, which can make it
considerably easier to calculate. However, many businesses prefer the quantitative analysis's focus
on money, as it is far easier to plug those numbers into budgets and projections.

Still, qualitative risk analysis should not be ignored simply because businesses would prefer to get
dollar amounts. The truth is, a lot of the dollar amounts determined by quantitative analysis are often
wild guesses. Given the relative ease with which qualitative analysis can be performed, it might
actually be preferable.



Qualitative RA Matrix

• A common approach to qualitative risk analysis is to build a risk matrix, such as the one seen here
• Especially common in vulnerability analysis

                         IMPACT
                  Low    Medium    High
  LIKELIHOOD
    High           3        4        ?
    Medium         2        3        ?
    Low            1        2        3

Qualitative RA Matrix
One of the key tools for performing qualitative risk analysis is the Risk Matrix. The Risk Matrix
illustrates the continuum of risk (in this case from high to low) by plotting the Likelihood and Impact
associated with a threat/vulnerability pair.

Will populating the Risk Matrix yield dollar amounts associated with impacts that can be used
directly in ROI calculations? No. But if your goal is to identify the most significant risks to an
organization, this simple tool can prove extremely effective.

Qualitative versus Quantitative RA

  Quantitative Advantages                   Qualitative Advantages
  Tied to $$$                               Easier to perform
  More likely to sway stakeholders          Yield rapid results
  Not as subjective                         Great for prioritizing
  Established practices and calculations    Strong starting point

Qualitative Versus Quantitative RA

This chart highlights the relative advantages of quantitative and qualitative analyses.
Risk Management

• Security is fundamentally about risk
• Goal of risk management is to ensure that risks are confined to an acceptable level
  - Obviously, must know risks to ensure they are acceptable
• Perform risk analysis to determine risks
  - Countermeasure selection performed to reduce risks to an acceptable level

Risk Management
As previously discussed in the introduction to risk, much of security professionals' jobs are centered
on dealing with issues of risk management. To that end, risk analysis is a key process that the
security professional needs to know.

Though we have already discussed quantitative and qualitative risk analysis, we will continue
reviewing risk analysis in more detail. Ultimately, the goal of analyzing risk is to understand the
current state of risk and make informed decisions about where items need additional scrutiny.



Prioritizing Risk Reduction

• Risk must take into account the context of the organization and system
• Not all vulnerabilities are created equal
  - Even when it is the exact same vulnerability
• An effective risk reduction strategy needs to prioritize which risks are reduced and how:
  - Should all vulnerabilities for a critical system be remediated first?
  - Should a commonly occurring vulnerability throughout the enterprise be remediated first?
• Approach depends on the business and potential impact

Prioritizing Risk Reduction


Naturally, it would be preferable if there were no risk at all. Unfortunately, organizations have
neither unlimited time nor budget to address even all known vulnerabilities. So, risk reduction must be
prioritized. This is an additional output of our risk analysis: which are the most significant risks.

Effective risk management must prioritize a risk reduction strategy taking into account all the inputs
into the risk analysis equation as well as the time and cost to implement countermeasures capable of
eliminating or reducing risks to an acceptable level.

Asset Identification

• Understanding assets is key to effective risk analysis and subsequent reduction:
  - Cumbersome for large organizations
  - If too onerous, focus on most overtly critical systems first
• Inventory and assess their role in the organization

Asset Identification
To manage risk, the risks must be understood. For the risks to be understood, we have to appreciate
the assets on which the vulnerabilities exist. Asset identification is a key phase of the risk analysis
process.

Simply having an accurate inventory of information systems proves difficult for many organizations,
let alone understanding the impact were the information system to be compromised. If too onerous,
organizations would do well to first focus on asset identification for critical information systems.

Asset Evaluation

• Evaluate the asset's value:
  - What would be the impact if this asset were unavailable?
  - What would be the impact if the data associated with this asset were breached?
  - What would be the impact if the data associated with this asset were altered?
• Understand how uncertain the data obtained is

Asset Evaluation
Beyond merely identifying the information systems that exist in an organization, their role needs to
be appreciated.

Key questions pertaining to the identified assets are:

• What would be the impact if this asset were unavailable?
• What would be the impact if the data associated with this asset were breached?
• What would be the impact if the data associated with this asset were altered?

An additional consideration is to appreciate the lack of certainty associated with the answers to these
questions. This inherent uncertainty is one of the major challenges associated with quantitative
analysis.



System-Specific Risk Analysis

• System-specific risk analysis:
  - Individual systems' risk postures are analyzed
  - Particular threats, vulnerabilities, and controls are assessed from the system vantage point
  - The impact is based upon the particular information system, services provided, and data housed/processed
• Individual system risk scores will be calculated and carried forward to an overall risk assessment

System-Specific Risk Analysis


Though discussed abstractly, particular threats and vulnerabilities are analyzed in light of specific
information systems as opposed to in general. So the calculations that have been discussed from a
risk analysis standpoint will have to be performed many times over.

Thankfully, some of the data can be reused after calculating once, but this is still an onerous process.
Obviously, to understand a system's risk requires a detailed understanding of the asset's role and
value to the organization first. This information will inform us about the potential impact associated
with exploitation of vulnerabilities affecting this system.



Risk Determination

• Risk = Threat x Vulnerability sure looked like a simple formula:
  - Understand threats and their motivations
  - Understand particular vulnerabilities and the likelihood of exploitation
  - Understand CIA impacts if exploited
  - Understand controls that could limit the impact or decrease the likelihood
  - Perform this calculation for each particular vulnerability on each system
  - Aggregate the scores ... and, finally, determine overall risk

Risk Determination
Now that all the components have been identified and analyzed, actual risk determination can be
performed.

Risk = Threat x Vulnerability sure looks like a simple formula, but now we can appreciate all that goes
into this calculation.

Threat involves understanding threat sources, their motivations and capabilities. Also we have to
understand particular vulnerabilities and the likelihood of successful exploitation. Presuming successful
exploitation, we must understand CIA impacts. We must also assess the current controls that could limit
the impact or decrease the likelihood. With all this, we can now perform the risk calculation for each
particular vulnerability on each system. Then we just have to aggregate the scores ... and, finally,
determine overall risk. And then, we get to do something about it, or not.
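A worked example (added here; not course code) of the per-vulnerability, per-system calculation and aggregation just described: each finding is scored on the Qualitative RA Matrix, then rolled up per system and per vulnerability so the two prioritization questions from the Prioritizing Risk Reduction slide can be answered from the same data. It assumes the matrix cell is likelihood + impact - 1 with Low=1, Medium=2, High=3 (which reproduces every legible cell on the slide); the system names, vulnerability identifiers and ratings are constructed sample data.

```python
"""Qualitative risk determination on the 3x3 likelihood/impact matrix,
aggregated per system and per vulnerability, with the two remediation
orderings the course asks about. Assumption: cell score = likelihood +
impact - 1 with Low=1, Medium=2, High=3. Findings are constructed sample data."""
from collections import defaultdict

LEVEL = {"low": 1, "medium": 2, "high": 3}


def matrix_score(likelihood: str, impact: str) -> int:
    """Risk matrix cell for one threat/vulnerability pair: 1 (Low/Low) .. 5 (High/High)."""
    return LEVEL[likelihood.lower()] + LEVEL[impact.lower()] - 1


# (system, vulnerability, likelihood, impact). Likelihood reflects threat
# motivation/capability, ease of exploitation and existing controls; impact
# reflects the system's role and data. Note that the same vulnerability
# (VULN-A) scores differently on different systems.
FINDINGS = [
    ("payroll-db",   "VULN-A", "medium", "high"),
    ("payroll-db",   "VULN-B", "low",    "high"),
    ("intranet-web", "VULN-A", "medium", "medium"),
    ("kiosk-01",     "VULN-A", "high",   "low"),
    ("kiosk-02",     "VULN-A", "high",   "low"),
    ("kiosk-02",     "VULN-C", "high",   "low"),
]


def score_findings(findings):
    """Attach the matrix score to each finding: (system, vulnerability, score)."""
    return [(system, vuln, matrix_score(lik, imp))
            for system, vuln, lik, imp in findings]


def risk_by_system(findings):
    """Per-system roll-up as (worst single score, sum of scores): the max shows
    the most severe exposure, the sum how many exposures accumulate."""
    agg = defaultdict(lambda: [0, 0])
    for system, _, score in score_findings(findings):
        agg[system][0] = max(agg[system][0], score)
        agg[system][1] += score
    return {system: tuple(v) for system, v in agg.items()}


def risk_by_vulnerability(findings):
    """Per-vulnerability roll-up across the enterprise as (systems affected, sum)."""
    agg = defaultdict(lambda: [0, 0])
    for _, vuln, score in score_findings(findings):
        agg[vuln][0] += 1
        agg[vuln][1] += score
    return {vuln: tuple(v) for vuln, v in agg.items()}


def prioritize(findings, strategy: str):
    """Remediation order under one of the two strategies from the slide:
    'critical-system-first' clears the highest-risk system before moving on;
    'common-vuln-first' fixes the vulnerability with the largest enterprise-wide
    score everywhere it occurs. Ties keep input order because sorted() is stable."""
    scored = score_findings(findings)
    if strategy == "critical-system-first":
        by_system = risk_by_system(findings)

        def key(f):
            return (by_system[f[0]], f[2])
    elif strategy == "common-vuln-first":
        by_vuln = risk_by_vulnerability(findings)

        def key(f):
            return (by_vuln[f[1]], f[2])
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    return sorted(scored, key=key, reverse=True)


if __name__ == "__main__":
    for strategy in ("critical-system-first", "common-vuln-first"):
        print(strategy)
        for system, vuln, score in prioritize(FINDINGS, strategy):
            print(f"  {score}  {system:13s} {vuln}")
```

Running both strategies on the same findings shows why the slide says the choice depends on the business: the critical-system ordering starts with everything on payroll-db, while the common-vulnerability ordering starts with VULN-A across all four systems it touches.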



Excessive Risk

• Excessive risk does not necessarily mean a lot of risk
  - Simply means that the level of risk is unacceptable to the decision makers
• When determined that the risk exceeds acceptable levels, the organization must determine how to proceed

Excessive Risk
So, you have spent many sleepless nights and finally completed the individual and overall risk analysis.
Management will review and determine whether the determined risk level is acceptable. If not, then the
risk is excessive, which doesn't mean a lot of risk, but rather simply that the risk exceeds acceptable
levels.

If risk is determined to be excessive, the organization must determine what the response will be. There
are several different valid responses. Many expect that the default response to excessive risk would
simply be to decrease the risk directly. This is one, but not the only, valid response to excess risk.


